Survey Widget Content Security Policy (CSP)
If your website uses a Content Security Policy, you'll need to add Mapster's domains to your CSP directives so the survey widget can load and function correctly.
Survey Widget Not Loading? How to Check if CSP is the Problem
If you installed the Mapster widget but don't see the survey appearing, your site's Content Security Policy may be blocking it.
1. Open your website in Chrome or Firefox.
2. Open DevTools (F12 or Cmd+Shift+I).
3. Go to the Console tab and look for an error like:

Refused to load the script 'https://www.mapster.io/widget.js'
because it violates the following Content Security Policy
directive: "script-src 'self'".

If you see this error, your CSP is blocking the Mapster widget. Add the directives from the table below to fix it.
What is CSP?
Content Security Policy (CSP) is a security feature that helps prevent cross-site scripting (XSS) attacks and other code injection threats. It works by telling the browser which resources (scripts, styles, fonts, etc.) are allowed to load on your page.
If your site uses CSP, external resources that aren't explicitly allowed will be blocked by the browser - including the Mapster widget.
If you don't have a CSP configured, the widget will work out of the box with no extra setup needed.
If You Have CSP Configured - Required Directives
Add the following domains to your policy:
| Directive | Value | Why |
|---|---|---|
| script-src | https://www.mapster.io https://cdn.jsdelivr.net | Widget script + React library from CDN |
| style-src | 'unsafe-inline' | Widget injects inline CSS for styling |
| connect-src | https://www.mapster.io | API calls for poll data, responses, and analytics |
| font-src | https://www.mapster.io | Custom fonts (if used in your survey theme) |
| img-src | data: blob: https: | Inline images, icons, and survey logos |
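One way to add the directives above to an existing policy without overwriting it, as an added example that is not Mapster's own code (the names `MAPSTER_SOURCES`, `parseCsp` and `addMapsterSources` are hypothetical). It copies `default-src` into any directive it has to create, because an explicit directive replaces the `default-src` fallback, and drops `'none'` before adding sources. It assumes the policy does not use `script-src-elem` or `style-src-elem`.

```javascript
// Added example: sources taken from the directive table on this page.
const MAPSTER_SOURCES = {
  "script-src": ["https://www.mapster.io", "https://cdn.jsdelivr.net"],
  "style-src": ["'unsafe-inline'"],
  "connect-src": ["https://www.mapster.io"],
  "font-src": ["https://www.mapster.io"],
  "img-src": ["data:", "blob:", "https:"],
};

// Parse "name src1 src2; name2 ..." into a Map of directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per the CSP spec a repeated directive is ignored: the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Hypothetical helper: returns a new policy string with the widget's sources added.
function addMapsterSources(policy) {
  const directives = parseCsp(policy);
  for (const [name, required] of Object.entries(MAPSTER_SOURCES)) {
    let sources = directives.get(name);
    if (sources === undefined) {
      // No explicit directive: the browser falls back to default-src.
      const fallback = directives.get("default-src");
      if (fallback === undefined) continue; // nothing restricts this type
      // An explicit directive replaces default-src, so copy its sources first.
      sources = [...fallback];
    }
    // 'none' is only valid on its own; drop it before adding sources.
    sources = sources.filter((s) => s.toLowerCase() !== "'none'");
    for (const src of required) {
      if (!sources.includes(src)) sources.push(src);
    }
    directives.set(name, sources);
  }
  return [...directives].map(([n, s]) => [n, ...s].join(" ")).join("; ");
}
```

Browsers ignore `'unsafe-inline'` when the same directive also carries a nonce or hash, and ignore host sources in `script-src` when `'strict-dynamic'` is present, so re-check the Console after deploying the merged policy.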
What Each Domain Is Used For
www.mapster.io
The widget script (/widget.js), API endpoints for fetching survey data and submitting responses, custom fonts, and analytics events.
cdn.jsdelivr.net
React 19 UMD bundles loaded by the widget at runtime. These are loaded from cdn.jsdelivr.net/npm/umd-react@19.2.1.
API Endpoints
The widget makes requests to the following www.mapster.io endpoints. These are covered by the connect-src directive.
| Endpoint | Method | Purpose |
|---|---|---|
| /api/polls/get-poll | GET | Fetch survey configuration and questions |
| /api/polls/answer-poll | POST | Submit survey responses |
| /api/event | POST | Track page views and survey events |
Still having issues? Contact us and we'll help you configure your CSP.